VDB
KO

MAL-2026-6994

Malicious code in chai-presentation (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93) The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the `cookie` field from the JSON response, wraps it in `new Function('require',...)`, and invokes it with the package's own `require` — giving the fetched payload full Node privileges in the importing process. index.js additionally spawns a detached, stdio-ignored Node child running lib/caller.js, which loops an HTTP GET against a URL constructed from lib/config.js and, on a 404 with a `token` body, evaluates that body via `new (Function.constructor)('require', res.token)` — a second, backgrounded remote-code-execution channel that survives the parent. The advertised chai helpers and an unrelated bundled 'flowlimit' lib/ tree serve as cover for the loaders. jsonkeeper.com is a mutable paste-style host, so the delivered payload can change silently without a package update.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chai-presentation

No fixed version published yet for chai-presentation (npm). Pin to a known-safe version or switch to an alternative.

References